Malware Distribution: How Cybercriminals Build and Run Distribution Networks

Table of Contents

Most people think of malware in terms of individual files — a virus, a ransomware sample, a trojan. But behind every significant malware campaign is an infrastructure: a layered system of services, networks, hosting providers, and human collaborators that gets malware from the attacker's keyboard to victims' systems at scale. Understanding malware distribution infrastructure is essential for defenders who want to disrupt campaigns at the network level rather than playing whack-a-mole with individual samples.

The Malware-as-a-Service Ecosystem

Modern cybercrime has industrialized malware distribution. Different criminal specialists handle different parts of the chain:

Malware developers: Write and maintain the malicious code. Often independent vendors who license their tools.

Access brokers: Compromise systems and sell access — "200 RDP credentials, US corporate, $50 each."

Loaders/Distributors: Specialize in getting malware installed on victim systems at scale. The biggest criminal organizations in this space (Emotet, Qakbot, IcedID) became the preferred delivery mechanism for other criminals' payloads.

Ransomware affiliates: Purchase access from brokers, purchase deployment tooling, use loaders to spread, then share revenue with the ransomware developers.

Money mules: Handle the financial side — cryptocurrency laundering, bank account fraud.

Primary Distribution Mechanisms

Email Spam Infrastructure

Mass malicious spam requires substantial infrastructure:

Botnets for spam delivery: Infected consumer machines send spam from legitimate residential IP ranges that are harder to block than datacenter IPs. The Emotet botnet was used by other criminals as a spam delivery service.

Phishing kits: Pre-built credential phishing pages that can be quickly deployed on compromised websites. Sold on criminal forums.

Spam-as-a-Service: Criminal services that handle spam delivery for other criminals — you provide the payload, they deliver the emails.

Traffic Distribution Systems (TDS)

A Traffic Distribution System is a criminal routing infrastructure that filters and redirects victims. When a user clicks a malicious link, the TDS:

  1. Analyzes the visitor's IP, browser, operating system, and geolocation
  2. Filters out sandbox IPs, security researcher IPs, and countries outside the target audience
  3. Redirects legitimate victims to exploit kits or phishing pages
  4. Redirects researchers and security bots to benign content

Famous TDS operators: BlackTDS, Prometheus TDS, 404 TDS — these are criminal services used by multiple threat actors simultaneously.

Exploit Kits

Exploit kits (EKs) are web-based platforms that probe visiting browsers for vulnerabilities and automatically install malware on vulnerable systems — no user click required beyond visiting the page.

The "golden age" of exploit kits (2012–2016) saw kits like Blackhole, Angler, RIG, and Nuclear responsible for millions of infections. Law enforcement operations took down many major kits, but RIG EK and Magnitude EK remain active in 2025.

EKs exploit browser vulnerabilities, plugin vulnerabilities (historically Flash and Java), and OS vulnerabilities.

Malvertising Networks

Malvertising injects malicious ads into legitimate advertising networks. When displayed on legitimate websites, these ads can trigger drive-by downloads or redirect victims to exploit kit landing pages.

Malvertising campaigns have targeted advertising networks serving Forbes, The New York Times, and many other major publishers — the publishers are not complicit, they're victims of a compromised advertising supply chain.

SEO Poisoning

SEO poisoning involves creating or compromising websites that rank for specific search terms commonly used when people need software. Someone searching "free PDF editor download" might encounter SEO-poisoned results pointing to malware-laden installers.

Attackers are skilled at manipulating search rankings through expired domain purchase, link networks, and rapid content generation targeting software-related queries.

Hosting Infrastructure

Bulletproof Hosting (BPH)

Bulletproof hosting providers offer hosting services with a deliberate policy of ignoring abuse complaints and law enforcement requests. Operating primarily in Russia, Eastern Europe, and certain offshore jurisdictions, BPH providers host C2 servers, phishing pages, and malware download servers with minimal risk of takedown.

Famous BPH providers: Troyak (taken down by Microsoft), McColo (taken down by ISPs after researchers exposed it), Yalishanda (long-running BPH operation).

Fast-Flux Networks

Fast-flux is a DNS evasion technique where C2 domain names point to rapidly rotating IP addresses — sometimes changing every few seconds. This makes the infrastructure resilient to takedowns because blocking one IP immediately gives way to another.

A double-flux network also rotates the DNS servers (name servers) themselves, making the entire infrastructure extremely resilient.

Domain Generation Algorithms (DGA)

Instead of using a fixed C2 domain (which can be registered and sinkhled), DGA malware generates hundreds or thousands of domain names algorithmically. The attacker registers only the ones they want to use; malware tries all generated names until one connects.

Sinkholing a DGA domain provides threat intelligence but doesn't disable the malware because it has thousands of backup domains.

Distribution at Scale: The Loader Economy

Loaders are malware designed specifically to install other malware. They're the distribution layer:

  1. A loader is delivered via phishing email
  2. The loader establishes persistence, identifies the victim system
  3. The loader checks in with C2 and receives instructions for what to install
  4. The loader downloads and executes secondary payloads (ransomware, banking trojans, etc.)

Emotet (before its 2021 takedown) was the most sophisticated loader operation, infecting hundreds of thousands of systems and "renting" access to other criminal groups. Qakbot (disrupted in 2023) had a similar model. Both have seen revival attempts following law enforcement actions.

Disrupting Distribution Infrastructure

Defenders can disrupt campaigns by targeting infrastructure rather than just endpoints:

Sinkholing: Security researchers or law enforcement register C2 domains before malware operators, redirecting victim traffic to a sinkhole server for intelligence collection and blocking.

Domain takedowns: Coordinating with domain registrars to suspend malicious domains.

ISP cooperation: Blocking or filtering bulletproof hosting IP ranges at the ISP level.

Botnet takedowns: Law enforcement operations to seize C2 servers and notify infected users — as happened with Emotet (2021), Qakbot (2023), and LockBit (2024).

FAQ

Why is malware distribution so hard to stop?
Jurisdictional fragmentation — different parts of the infrastructure are in different countries with different laws and different law enforcement cooperation levels. Criminal infrastructure is also designed for resilience and rapid reconstitution.

What's a sinkhole and how does it help?
A sinkhole is a server researchers operate that masquerades as a malware C2. By registering C2 domains before or after criminals, researchers redirect victim traffic and can identify infected IPs, providing data for remediation.

How does bulletproof hosting differ from normal hosting?
Normal hosting providers respond to abuse reports and cooperate with law enforcement. BPH providers explicitly don't — they're a service specifically designed for criminal customers willing to pay premium prices for guaranteed hosting.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: